Hi, The attached diffs are for a proposed NMU of gif2png to fix CVE-2010-4694 and CVE-2010-4695 in the stable (squeeze, 2.5.2-2) and oldstable (lenny, 2.5.1-3) suites.
In stable, the existing patch is extended based on the maintainer's upload in sid. In oldstable, the entire patch is backported because it hadn't yet been applied at all. The patch itself is also attached for clarity. If you're happy with the changes, I will announce the NMU and upload them to DELAYED/2 to give the maintainer time to react. He has had a PRSC 'please fix' request already and failed to respond, and I'd like to get it into 6.0.1 if possible. jona@lupin:/tmp$ diffstat gif2png-prsc-lenny.diff debian/patches/10_fix_gif2png_c.dpatch | 61 +++++++++++++++++++++++++++++++++ gif2png-2.5.1/debian/changelog | 8 ++++ gif2png-2.5.1/debian/patches/00list | 1 3 files changed, 70 insertions(+) jona@lupin:/tmp$ diffstat gif2png-prsc-squeeze.diff changelog | 8 ++++++++ patches/10_fix_gif2png_c.dpatch | 36 ++++++++++++++++++++++++++++-------- 2 files changed, 36 insertions(+), 8 deletions(-) Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u gif2png-2.5.1/debian/changelog gif2png-2.5.1/debian/changelog
--- gif2png-2.5.1/debian/changelog
+++ gif2png-2.5.1/debian/changelog
@@ -1,3 +1,11 @@
+gif2png (2.5.1-3.1) oldstable; urgency=low
+
+ * Non-maintainer upload as part of the Point Release Security effort
+ * CVE-2010-4694, CVE-2010-4695: Backport 10_fix_gif2png_c.dpatch from
+ the package in unstable (closes: #610479)
+
+ -- Jonathan Wiltshire <j...@debian.org> Fri, 25 Feb 2011 09:50:27 +0000
+
 gif2png (2.5.1-3) unstable; urgency=low * Fixed debian/watch file
diff -u gif2png-2.5.1/debian/patches/00list gif2png-2.5.1/debian/patches/00list
--- gif2png-2.5.1/debian/patches/00list
+++ gif2png-2.5.1/debian/patches/00list
@@ -1,2 +1,3 @@
 10_write_text_comment
+10_fix_gif2png_c.dpatch
 20_manpage_fixes
only in patch2: unchanged:
--- gif2png-2.5.1.orig/debian/patches/10_fix_gif2png_c.dpatch
+++ gif2png-2.5.1/debian/patches/10_fix_gif2png_c.dpatch
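Review bot: The new `00list` entry `10_fix_gif2png_c.dpatch` carries the `.dpatch` suffix while the two existing entries (`10_write_text_comment`, `20_manpage_fixes`) do not; dpatch tolerates both spellings as far as I know, but the inconsistent naming is easy to misread as a different patch file, so I would write the entry as `10_fix_gif2png_c` to match its neighbours. Please also confirm with a build in a lenny chroot that dpatch resolves the entry to `debian/patches/10_fix_gif2png_c.dpatch`, since I believe an entry that does not resolve fails the build rather than silently skipping the CVE fix.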
@@ -0,0 +1,61 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 10_fix_gif2png_c.dpatch by Erik Schanze <er...@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: - clarify if/else construct, because of compiler warning +## DP: - prevent buffer overflow with strcpy, closes: #550978 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gif2png-2.5.4~/gif2png.c gif2png-2.5.4/gif2png.c +--- gif2png-2.5.4~/gif2png.c 2010-10-20 16:20:07.000000000 +0200 ++++ gif2png-2.5.4/gif2png.c 2011-02-12 01:14:29.530909414 +0100 +@@ -639,6 +639,7 @@ + int num_pics; + struct GIFelement *start; + int i, suppress_delete = FALSE; ++ int file_ext_max; + char *file_ext; + + if (fp == NULL) return 1; +@@ -673,9 +675,11 @@ + + /* create output filename */ + +- strcpy(outname, fname); ++ strncpy( outname, fname, sizeof( outname ) ); ++ outname[sizeof( outname ) - 1] = 0; + + file_ext = outname+strlen(outname)-4; ++ file_ext_max = sizeof(outname) - ( strlen(outname) - 4 ); + if (strcmp(file_ext, ".gif") != 0 && strcmp(file_ext, ".GIF") != 0 && + strcmp(file_ext, "_gif") != 0 && strcmp(file_ext, "_GIF") != 0) { + /* try to derive basename */ +@@ -686,7 +690,8 @@ + } + if (file_ext<outname || *file_ext != '.') { + /* as a last resort, just add .png to the filename */ +- file_ext = outname+strlen(outname); ++ file_ext = outname + (size_t)(( strlen( outname ) <= sizeof( outname ) - 1 - 4 )? 
strlen( outname ) ++ : sizeof( outname ) - 1 - 4); + } + } + +@@ -708,7 +713,7 @@ + fclose(fp); + ++numpngs; + start = NULL; +- sprintf(file_ext, ".p%02d", i); ++ snprintf(file_ext, file_ext_max - 1, ".p%02d", i); + } + } + } +@@ -863,7 +868,8 @@ + } + } else { + for (i = ac;i<argc; i++) { +- strcpy(name, argv[i]); ++ strncpy(name, argv[i], sizeof name - sizeof ".gif"); ++ name[sizeof name - sizeof ".gif"] = '\0'; + if ((fp = fopen(name, "rb")) == NULL) { + /* retry with .gif appended */ + strcat(name, ".gif");
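Review bot: The dpatch being added was generated against gif2png 2.5.4 (its `---`/`+++` header and hunk offsets such as `@@ -639,6 +639,7 @@` say so) but is applied unchanged to the 2.5.1 source, and the stable copy of the same patch evidently needed different offsets for 2.5.2 (`@@ -656,7 +656,7 @@` there versus `@@ -655,7 +656,7 @@` here), so the 2.5.1 tree will be patched with offsets or fuzz if it applies at all. Please build-test on lenny and check specifically that the `}` added after `return 0;` in the `if (webconvert) {` hunk lands after the same statements in 2.5.1, since a fuzzed match there changes control flow silently. If the offsets differ, regenerate the dpatch against 2.5.1 so its header and hunk lines document the tree it actually patches.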
diff -u gif2png-2.5.2/debian/changelog gif2png-2.5.2/debian/changelog
--- gif2png-2.5.2/debian/changelog
+++ gif2png-2.5.2/debian/changelog
@@ -1,3 +1,11 @@
+gif2png (2.5.2-2.1) stable; urgency=low
+
+ * Non-maintainer upload as part of the Point Release Security effort
+ * CVE-2010-4694, CVE-2010-4695: Backport further work on
+ 10_fix_gif2png_c.dpatch from the package in unstable (closes: #610479)
+
+ -- Jonathan Wiltshire <j...@debian.org> Fri, 25 Feb 2011 09:14:35 +0000
+
 gif2png (2.5.2-2) unstable; urgency=low * Adapted 10_fix_gif2png_c.dpatch, closes: #550978
diff -u gif2png-2.5.2/debian/patches/10_fix_gif2png_c.dpatch gif2png-2.5.2/debian/patches/10_fix_gif2png_c.dpatch
--- gif2png-2.5.2/debian/patches/10_fix_gif2png_c.dpatch
+++ gif2png-2.5.2/debian/patches/10_fix_gif2png_c.dpatch
@@ -6,10 +6,18 @@
 ## DP: - prevent buffer overflow with strcpy, closes: #550978
 @DPATCH@
-diff -urNad gif2png-2.5.2~/gif2png.c gif2png-2.5.2/gif2png.c
---- gif2png-2.5.2~/gif2png.c 2009-11-11 21:28:02.000000000 +0100
-+++ gif2png-2.5.2/gif2png.c 2009-12-05 00:11:56.790419772 +0100
-@@ -656,7 +656,7 @@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gif2png-2.5.4~/gif2png.c gif2png-2.5.4/gif2png.c
+--- gif2png-2.5.4~/gif2png.c 2010-10-20 16:20:07.000000000 +0200
++++ gif2png-2.5.4/gif2png.c 2011-02-12 01:14:29.530909414 +0100
+@@ -639,6 +639,7 @@
+ int num_pics;
+ struct GIFelement *start;
+ int i, suppress_delete = FALSE;
++ int file_ext_max;
+ char *file_ext;
+
+ if (fp == NULL) return 1;
+@@ -655,7 +656,7 @@
 if (num_pics <= 0) return 1;
@@ -18,7 +26,7 @@
 if (num_pics != 1) { fprintf(stderr, "gif2png: %s is multi-image\n", fname);
-@@ -673,6 +673,7 @@
+@@ -666,6 +667,7 @@
 printf("%s\n", fname); return 0; }
@@ -26,7 +34,7 @@
 /* eliminate use of transparency, if that is called for */ if (matte)
-@@ -680,7 +681,8 @@
+@@ -673,9 +675,11 @@
 /* create output filename */
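Review bot: `int file_ext_max;` in the added declaration hunk is assigned a `size_t` expression (`sizeof(outname) - ( strlen(outname) - 4 )`) and later handed to `snprintf` as its `size_t` size argument, so the value goes through two signed/unsigned conversions for no benefit; declare it `size_t file_ext_max;` so that a large or wrapped value cannot be misread as negative along the way. The `## DP:` description was not updated: it still describes only the if/else cleanup and the strcpy fix, while the patch now also bounds the `.p%02d` suffix and the argv copy and ships as the fix for two CVEs, so add a line such as `## DP: - CVE-2010-4694, CVE-2010-4695: bound output filename and argv handling (#610479)`.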
@@ -35,8 +43,11 @@ + outname[sizeof( outname ) - 1] = 0; file_ext = outname+strlen(outname)-4; ++ file_ext_max = sizeof(outname) - ( strlen(outname) - 4 ); if (strcmp(file_ext, ".gif") != 0 && strcmp(file_ext, ".GIF") != 0 && -@@ -693,7 +695,8 @@ + strcmp(file_ext, "_gif") != 0 && strcmp(file_ext, "_GIF") != 0) { + /* try to derive basename */ +@@ -686,7 +690,8 @@ } if (file_ext<outname || *file_ext != '.') { /* as a last resort, just add .png to the filename */ @@ -46,7 +57,16 @@ } } -@@ -874,7 +877,8 @@ +@@ -708,7 +713,7 @@ + fclose(fp); + ++numpngs; + start = NULL; +- sprintf(file_ext, ".p%02d", i); ++ snprintf(file_ext, file_ext_max - 1, ".p%02d", i); + } + } + } +@@ -863,7 +868,8 @@ } } else { for (i = ac;i<argc; i++) {
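Review bot: The new bound `file_ext_max = sizeof(outname) - ( strlen(outname) - 4 );` wraps when `outname` holds fewer than four characters, because `strlen(outname) - 4` is an unsigned subtraction, and on the same short name the untouched context line `file_ext = outname+strlen(outname)-4;` still points before the array so the following `strcmp` calls read out of bounds; a one-letter argument naming a file that exists presumably reaches this code without `.gif` appended. The patch should guard the length before forming the pointer, e.g. `if (strlen(outname) < 4) file_ext = outname; else file_ext = outname + strlen(outname) - 4;`, and compute the remaining room from that pointer rather than from `strlen(outname) - 4`. The enclosing function starts and ends outside this hunk.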
#! /bin/sh /usr/share/dpatch/dpatch-run ## 10_fix_gif2png_c.dpatch by Erik Schanze <er...@debian.org> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: - clarify if/else construct, because of compiler warning ## DP: - prevent buffer overflow with strcpy, closes: #550978 @DPATCH@ diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gif2png-2.5.4~/gif2png.c gif2png-2.5.4/gif2png.c --- gif2png-2.5.4~/gif2png.c 2010-10-20 16:20:07.000000000 +0200 +++ gif2png-2.5.4/gif2png.c 2011-02-12 01:14:29.530909414 +0100 @@ -639,6 +639,7 @@ int num_pics; struct GIFelement *start; int i, suppress_delete = FALSE; + int file_ext_max; char *file_ext; if (fp == NULL) return 1; @@ -655,7 +656,7 @@ if (num_pics <= 0) return 1; - if (webconvert) + if (webconvert) { if (num_pics != 1) { fprintf(stderr, "gif2png: %s is multi-image\n", fname); @@ -666,6 +667,7 @@ printf("%s\n", fname); return 0; } + } /* eliminate use of transparency, if that is called for */ if (matte) @@ -673,9 +675,11 @@ /* create output filename */ - strcpy(outname, fname); + strncpy( outname, fname, sizeof( outname ) ); + outname[sizeof( outname ) - 1] = 0; file_ext = outname+strlen(outname)-4; + file_ext_max = sizeof(outname) - ( strlen(outname) - 4 ); if (strcmp(file_ext, ".gif") != 0 && strcmp(file_ext, ".GIF") != 0 && strcmp(file_ext, "_gif") != 0 && strcmp(file_ext, "_GIF") != 0) { /* try to derive basename */ @@ -686,7 +690,8 @@ } if (file_ext<outname || *file_ext != '.') { /* as a last resort, just add .png to the filename */ - file_ext = outname+strlen(outname); + file_ext = outname + (size_t)(( strlen( outname ) <= sizeof( outname ) - 1 - 4 )? strlen( outname ) + : sizeof( outname ) - 1 - 4); } } @@ -708,7 +713,7 @@ fclose(fp); ++numpngs; start = NULL; - sprintf(file_ext, ".p%02d", i); + snprintf(file_ext, file_ext_max - 1, ".p%02d", i); } } } 
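Review bot: The last-resort line `file_ext = outname + (size_t)(( strlen( outname ) <= sizeof( outname ) - 1 - 4 )? ...)` spells the reserved space as the magic `- 1 - 4` and evaluates `strlen(outname)` twice; the argv hunk of the same patch already uses the clearer `sizeof name - sizeof ".gif"` idiom, so for consistency write `file_ext = outname + (strlen(outname) <= sizeof outname - sizeof ".png" ? strlen(outname) : sizeof outname - sizeof ".png"); /* keep room for ".png" and the NUL */`. Note also that when the cap is hit the tail of the base name is presumably overwritten by the suffix written through `file_ext`, so two long input names that differ only in their last characters end up on the same output file; that deserves a comment or a warning on stderr rather than silence.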
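Review bot: `snprintf(file_ext, file_ext_max - 1, ".p%02d", i);` uses a bound that was computed while `file_ext` still pointed at `outname + strlen(outname) - 4`, but the later last-resort branch moves `file_ext` up to four bytes further (to `outname + strlen(outname)`, capped at `sizeof(outname) - 5`), so at that position `file_ext_max - 1` overstates the remaining space by up to three bytes and a GIF with 100 or more frames (suffix `.p100` plus terminator, six bytes) can still write past the end of `outname`. The bound should be derived from the pointer actually written through, at the call site: `snprintf(file_ext, sizeof outname - (size_t)(file_ext - outname), ".p%02d", i);`, which also makes `file_ext_max` and its unexplained `- 1` unnecessary. The return value is still unchecked, so a truncated suffix can silently give two frames the same output name; at minimum log it. Whether the overflow is reachable also depends on how the basename-derivation code between the hunks moves `file_ext`, which is outside this hunk.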
@@ -863,7 +868,8 @@ } } else { for (i = ac;i<argc; i++) { - strcpy(name, argv[i]); + strncpy(name, argv[i], sizeof name - sizeof ".gif"); + name[sizeof name - sizeof ".gif"] = '\0'; if ((fp = fopen(name, "rb")) == NULL) { /* retry with .gif appended */ strcat(name, ".gif");
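Review bot: `strncpy(name, argv[i], sizeof name - sizeof ".gif");` silently truncates an over-long command-line path, so the program then opens and converts whichever file the truncated name happens to denote (or appends `.gif` to the truncated name), and the same truncated string feeds the output name; a bounded copy is the right fix for the overflow, but an over-long argument should be rejected instead of rewritten, e.g. `if (strlen(argv[i]) >= sizeof name - sizeof ".gif") { fprintf(stderr, "gif2png: %s: name too long\n", argv[i]); continue; }` placed before the copy. The arithmetic itself is sound: `sizeof ".gif"` is 5, so the NUL written at `name[sizeof name - 5]` leaves exactly four bytes plus the terminator for the later `strcat(name, ".gif")`. The enclosing loop and function start and end outside this hunk, so whether `continue` is the right failure path (versus recording an error exit status) needs checking against the surrounding code.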